Tag: department of justice

What the Manual by DOJ’s Top Intelligence Lawyer Says About the FISA Amendments Act

To a casual observer, debates about national security spying can seem like a hopeless game of he-said/she-said. Government officials and congressional surveillance hawks characterize the authorities provided by measures like the FISA Amendments Act of 2008 in one way, while paranoid civil libertarians like me tell a more unsettling story. Who can say who’s right?

Fortunately, there is an authoritative unclassified source that explains what the law means: the revised 2012 edition of National Security Investigations and Prosecutions by David S. Kris (who headed the Justice Department’s National Security Division from 2009–2011) and J. Douglas Wilson. As the definitive (unclassified) treatise on what foreign intelligence surveillance law says, means, and permits, it’s the same resource you’d expect the government attorneys who apply for surveillance authority to consult for guidance on what the law does and doesn’t allow spy agencies to do. Let’s see what it says about the scope of surveillance authorized by the FAA:

[The FAA’s] certification provision states that the government under Section 1881a is “not required to identify the specific facilities, places premises, or property at which an acquisition … will be directed or conducted.” This is a significant grant of authority, because it allows for authorized acquisition—surveillance or a search—directed at any facility or location. For example, an authorization targeting “al Qaeda”—which is a non-U.S. person located abroad—could allow the government to wiretap any telephone that it believes will yield information from or about al Qaeda, either because the telephone is registered to a person whom the government believes is affiliated with al Qaeda, or because the government believes that the person communicates with others who are affiliated with al Qaeda, regardless of the location of the telephone. Unless the FISC attempts to address the issue under the rubric of minimization, no judge will contemporaneously review the government’s choice of facilities or places at which to direct acquisition. [….] Review of the certification is limited to the question “whether [it] contains all the required elements”; the FISC does not look behind the government’s assertion’s. Thus, for example, the FISC could not second-guess the government’s foreign intelligence purpose of conducting the acquisition, as long as the certification in fact asserts such a purpose.

Got that? The requirement that surveillance have a foreign “target” is satisfied if the general purpose of a wiretap program is to gather information about a foreign group like al Qaeda, and it employs procedures designed for that purpose. It does not mean that the particular phone numbers or e-mail accounts or other “facilities” targeted for surveillance have to belong to a foreigner: those could very well belong to an American citizen located within the United States, and no court or judge is required to approve or review the choice of which individuals to tap.

Kris and Wilson elaborate in a discussion of surveillance under the Protect America Act, the stopgap legislation that preceded the FAA, explaining how the language of the law could be exploited to conduct what most of us would think of as domestic surveillance despite the nominal requirement of a “foreign” target:

The concern was that the government could be said to “direct” surveillance at the entity abroad, but still monitor communications on a facility used (or used exclusively) by an individual U.S. person in this country. Indeed, the government in the recent past had taken the position that surveillance of a U.S. person’s home and mobile telephones was “directed at” al Qaeda, not at the U.S. person himself. Applied to the PAA, this logic seemed to allow surveillance of Americans’ telephones and e-mail accounts, inside the United States, without adherence to traditional FISA, as long as the government could persuade itself that the surveillance was indeed “directed” at al Qaeda or another foreign power that was reasonably believed to be abroad. When confronted with these concerns the government explicitly equated the PAA’s “directed at” standard with FISA’s “targeting” standard, meaning that acquisition was “directed” at an entity when the government was trying to acquire information from or about that entity.

More importantly for present purposes, the government’s equation of the “targeting” and “directed at” standards meant that concerns raised about the PAA applied equally to the FAA, which (as discussed above) authorizes acquisition “targeting” a “person” reasonably believed to be abroad, and explicitly adopts traditional FISA’s broad definition of the term “person.” The concern was that the government could use Section 1881a for an acquisition “targeting” al Qaeda, but “directed” at a facility or place used (or used exclusively) by John Smith, a U.S. person located in the United States, for Smith’s domestic communications. [Emphasis added.]

As Kris and Wilson note, Congress ultimately added a further limitation designed to allay such concerns, but it did not do so by prohibiting any flagging of Americans’ e-mail accounts or phone lines for interception and recording without a warrant. That is still allowed—though “minimization procedures” are then supposed to limit the retention and use of such information.

What Congress prohibited instead was the use of FAA surveillance to “intentionally acquire any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States.” But as Kris and Wilson point out, this restriction  “is imperfect because location is difficult to determine in the modern world of communications, and the restriction applies only when the government ‘knows’ that the communication is domestic.”

So to review: under the FAA, a court approves general procedures for surveillance “targeting” a foreign group. But the court does not approve or (necessarily) review any intelligence agency’s own discretionary determination about which specific people’s e-mail addresses, phone lines, or online accounts should be flagged for interception in order to gather information about that foreign group. The government’s past arguments indicate that it believes it may spy on the accounts or phones of individual American citizens located in the United States under an authorization to gather information about a foreign “target.” All the law requires is that they not intentionally record the American’s calls and e-mails when they are are known in advance to be to or from another American.

Remember: this isn’t my interpretation of the law. This isn’t speculation from someone at the American Civil Liberties Union or the Electronic Frontier Foundation about how the government might try to read the statute. This a legal reference text written by the lawyer who, until quite recently, ran the show at DOJ when it came to FISA surveillance. The next time you hear a member of Congress declare that the FAA has nothing to do with eavesdropping on Americans, ask yourself who is more likely to have  an accurate understanding of what the law really says.

What We Can and Can’t Know About NSA Spying: A Reply to Prof. Cordero

Georgetown Law professor Carrie Cordero—who previously worked at the Department of Justice improving privacy procedures for monitoring under the Foreign Intelligence Surveillance Act—attended our event with Sen. Ron Wyden (D-OR) on the FISA Amendments Act last week.  Perhaps unsurprisingly, she’s rather more comfortable with the surveillance authorized by the law than our speakers were, and posted some critical commentary at the Lawfare blog (which is, incidentally, required reading for national security and intelligence buffs). Marcy Wheeler has already posted her own reply, but I’d like to hit a few points as well. Here’s Cordero:

Since at least the summer of 2011, [Wyden and Sen. Mark Udall] have been pushing the Intelligence Community to provide more public information about how the FAA works, and how it affects the privacy rights of Americans. In particular, they have, in a series of letters, requested that the Executive Branch provide an estimate of the number of Americans incidentally intercepted during the course of FAA surveillance. According to the exchanges of letters, the Executive Branch has repeatedly denied the request, on the basis that: i) it would be an unreasonable burden on the workforce (and, presumably, would take intelligence professionals off their national security mission); and ii) gathering the data the senators are requesting would, in and of itself, violate privacy rights of Americans.

The workforce argument, even if true, is, of course, a loser. The question of whether the data call itself would violate privacy rights is a more interesting one. Multiple oversight personnel independent of the operational and analytical wings of the Intelligence Community – including the Office of Management and Budget, the NSA Inspector General, and just last month, the Inspector General of the Intelligence Community, have all said that the data call requested by the senators is not feasible. The other members of the SSCI appear to accept this claim on its face. Meanwhile, Senator Wyden states he just finds the claim unbelievable. That there must be some way it can be done, he says, if even on a sample basis. Maintaining that position puts him in an interesting place, however: is the privacy advocate actually advocating for violating the privacy rules, to appease a Congressional request? Assuming that he would not actually want to advocate that the rules be waived at the request of a politician, a question then arises as to whether the Intelligence Community has adequately explained exactly how the data call would work and why it would conflict with existing privacy rules and protections, such as minimization procedures.

I’ll grant Cordero this point: as absurd as it sounds to say “we can’t tell you how many Americans we’re spying on, because it would violate their privacy,” this might well be a concern if those of us who follow these issues from the outside are correct in our surmises about what NSA is doing under FAA authority. The only real restriction the law places on the initial interception of communications is that the NSA use “targeting procedures” designed to capture traffic to or from overseas groups and individuals. There’s an enormous amount of circumstantial evidence to suggest that initial acquisition is therefore extremely broad, with a large percentage of international communications traffic being fed into NSA databases for later querying. If that’s the case, then naturally the tiny subset of communications later reviewed by a human analyst—because they match far narrower criteria for suspicion—is going to be highly unrepresentative. To get even a rough statistical sample of what’s in the larger database, then, one would have to “inspect”—possibly using software—a whole lot of the innocent communications that wouldn’t otherwise ever be analyzed. And possibly the rules currently in place don’t make any allowance for querying the database—even to analyze metadata for the purpose of generating aggregate statistics—unless it’s directly related to an intelligence purpose.

A few points about this.  First: assuming, for the moment, that  this is the case, why can’t NSA and DOJ say so clearly and publicly? Because it would somehow imperil national security to characterize the surveillance program even at this highest level of generality, without any mention of particular search parameters or targets? Would it “help the terrorists” if they answered a more recent query from a bipartisan group of senators, asking whether database searches (as opposed to initial “targeting”) had focused on specific American citizens?  Please.

A  more plausible hypothesis is that they recognize that an official, public acknowledgement that the government is routinely copying and warehousing millions of completely innocent communications—even if they’re only looking at the “suspicious” minority— would not go over entirely smoothly with the citizenry. There might even be a demand for some public debate about whether this is the kind of thing we’re willing to countenance. Legal scholars might become curious whether whatever arguments support the constitutionality of this practice hold up as well in the light of the day as they do when they’re made unopposed in closed chambers. Even without an actual estimate, any meaningful discussion of the workings of the program would be likely to undermine the whole pretense that it only “incidentally” involves the communications of innocent Americans, or that the constraints on “targeting”constitute a meaningful safeguard.  The desire to avoid the whole hornet’s nest using the pretext of national security is perhaps understandable, but it shouldn’t be acceptable in a democracy. Yet everyone knows overclassification is endemic—even the government’s own former “classification czar” has blasted the government’s use of inappropriate secrecy as a weapon against critics.

Second, transparency at this level of generality is an essential component of privacy protection. To the extent that the rules governing  access to the database preclude any attempt to audit its aggregate contents—including by automated software tallying of identifiers such as area codes and IP addresses—then they should indeed be changed, not because a senator demanded it, but because they otherwise preclude adequate oversight. An online service that keeps no server logs would be somewhat more protective of its users privacy… if  its database were otherwise perfectly secure against intrusion or misuse. In the real world, where there’s no such thing as perfect security, such a service would be protecting user privacy extremely poorly, because it would lack the ability to detect and prevent breaches. If it is not possible to audit the NSA’s system in this way, then that system needs to be altered until it is possible. If giving Congress a rough sense of the extent of the agency’s surveillance of Americans falls outside the parameters of the intelligence mission (and therefore the permissible uses of the database), it’s time for a new mission statement.

Finally, Cordero closes by noting the SSCI has touted its own oversight as “extensive” and “robust,” which Cordero thinks “debunks” the  suggestion embedded in our event title that the FAA enables “mass spying without accountability.”  (Can I debunk the debunking by lauding the accuracy and thoroughness of my own analysis?)  Unfortunately, the consensus of most independent analysts of the intelligence committees’ performance is a good deal less sanguine—which makes me hesitant to take that self-assessment at face value.

As scholars frequently point out, the overseers are asked to process incredibly complex information with a limited cleared staff to assist them, and often forbidden to take notes at briefings or remove reports from secure facilities. When you read about those extensive reports, recall that in the run-up to the invasion of Iraq only six senators and a handful of representatives ever read past the executive summary of the National Intelligence Estimate on Iraq’s WMD programs to the far more qualified language of the  full 92-page report. You might think the intel committees would need to hold more hearings than their counterparts to compensate for these disadvantages, but UCLA’s Amy Zegart has found that they consistently rank at the bottom of the pack, year after year. Little wonder, then, that years of flagrant and systemic misuse of another controversial surveillance tool—National Security Letters—was not uncovered by the “extensive” and “robust” oversight of the intelligence committees, but by the Justice Department’s inspector general.

In any event, we seem to have at least 13 senators who don’t believe they’ve been provided with enough information to perform their oversight role adequately. Perhaps they’re setting the bar too high, but I find it more likely that their colleagues—who over time naturally grow to like and trust the intelligence officials upon whom they rely for their information—are a bit too easily satisfied. There are no  prizes for expending time, energy, and political capital on ferreting out civil liberties problems in covert intelligence programs, least of all in an election year. It’s far easier to be satisfied with whatever data the intelligence community deigns to dribble out—often with heroic indifference to statutory reporting deadlines—and take it on faith that everything’s running as smoothly as they say. That allows you to write, and even believe, that you’re conducting “robust” oversight without knowing (as Wyden’s letter suggests the committee members do not) roughly how many Americans are being captured in NSA’s database, how many purely-domestic communications have been intercepted,  whether warrantless “backdoor” targeting of Americans is being done via the selection of database queries. But the public need not be so easily satisfied, nor accept that meaningful “accountability” exists when all those extensive reports leave the overseers ignorant of so many basic facts.

Feds Delay ADA Pool Lift Rules Again

Did anyone think the U.S. Department of Justice was really up for a flood of “pool closes for fear of ADA liability” stories over Memorial Day weekend? So instead they’ve announced another delay in their rules, this time carrying them until safely after the election, specifically Jan. 31. The Department is murmuring about being “flexible” when it eventually gets around to enforcing the mandatory permanent-lift regulations, which have raised a storm of criticism (more here and here) as unreasonably burdensome to pool operators. The House has passed a rider cutting off funds for the enforcement of the regulation, over objections from Rep. Steny Hoyer (D-MD) and others, but the fate of the rider in the Senate is considered less promising.

Want Privacy? Increase Government Surveillance!

This morning, the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law had a hearing entitled: “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy.”

Among the witnesses was Deputy Assistant Attorney General Jason Weinstein from the Department of Justice’s Criminal Division. Weinstein made a gallingly Orwellian pitch: If you want privacy protection, increase government surveillance.

From his written statement:

ISPs may choose not to store IP records, may adopt a network architecture that frustrates their ability to track IP assignments and network transactions back to a specific account or device, or may store records for only a very short period of time. In many cases, these records are the only evidence that allows us to investigate and assign culpability for crimes committed on the Internet. In 2006, forty-nine Attorneys General wrote to Congress to express “grave concern” about “the problem of insufficient data retention policies by Internet Service Providers.”

Without more customer data retention by ISPs, and without greater government access to this data, the government won’t be able to prosecute crimes, some of which threaten privacy, Weinstein said in his spoken comments.

So there you have it. Turn more data over to the government so we can protect your privacy. War is peace. Freedom is slavery.

Google under Siege in the Corporate State

“Google is under siege in Washington like never before,” Politico reports.

In an interview with POLITICO, a Google spokesman argued that a cabal of antitrust lawyers, lobbyists and public relations firms is conspiring against the Internet search giant. The mastermind? Google says it’s Microsoft.

Maybe it’s irony, or maybe it’s payback.

In the 1990s, Microsoft was the tech industry wunderkind that got too big for its britches — and Google CEO Eric Schmidt, then an executive at Sun Microsystems and later Novell, helped knock the software titan down a peg by providing evidence in the government’s antitrust case against it… .

But there are also increasing calls from some Silicon Valley competitors and Washington-based public interest groups for the Justice Department to launch a sweeping antitrust probe of Google. The European Union and the state of Texas have reviews under way.

Google says its rivals are fueling the attacks.

You could have read it here first. In the November-December 2010 issue (pdf) of Cato Policy Report, Adam Thierer wrote, “The high-tech policy scene within the Beltway has become a cesspool of backstabbing politics, hypocritical policy positions, shameful PR tactics, and bloated lobbying budgets.” The telcos, the broadcasters, the wireless industry, the entertainment industry – they all want the federal government to crush their competitors. And, he said, “Everybody — and I do mean everybody — wants Google dead, right now. Google currently serves as the Great Satan in this drama — taking over the role Microsoft filled a decade ago — as just about everyone views it with a combination of envy and enmity.” But then:

Of course, in a sense, Google had it coming. The company has been the biggest cheerleader in the push to impose “Net neutrality” regulation on the Internet’s physical infrastructure providers, which would let the FCC toss property rights out the window and regulate broadband networks to their heart’s content.

Meanwhile, along with Skype and others, Google wants the FCC to impose “openness” mandates on wireless networks that would allow the agency to dictate terms of service. It’s no surprise, then, that the cable, telco, and wireless crowd are firing back and now hinting we need “search neutrality” to constrain the search giant’s growing market power. File it under “mutually assured destruction” for the Information Age.

Google had it coming in another sense, having joined the decade-long effort by myriad Silicon Valley actors to hobble Microsoft through incessant antitrust harassment.Google has hammered Microsoft in countless legal and political proceedings here and abroad.

Thierer also noted that you could have predicted all this by reading Cato publications a decade earlier, such as Cypress semiconductor CEO T. J. Rodgers’s 2000 manifesto, “Why Silicon Valley Should Not Normalize Relations with Washington, D.C.” (pdf). Or indeed Milton Friedman’s 1999 speech on “The Business Community’s Suicidal Impulse”: “You will rue the day when you called in the government. From now on the computer industry, which has been very fortunate in that it has been relatively free of government intrusion, will experience a continuous increase in government regulation.”

You (could have) read it here first.

Department of Bias

The Department of Justice just invalidated a move by the residents of Kinston, North Carolina, to have non-partisan local elections. Rationale?

The Justice Department’s ruling, which affects races for City Council and mayor, went so far as to say partisan elections are needed so that black voters can elect their “candidates of choice” - identified by the department as those who are Democrats and almost exclusively black.

The department ruled that white voters in Kinston will vote for blacks only if they are Democrats and that therefore the city cannot get rid of party affiliations for local elections because that would violate black voters’ right to elect the candidates they want.

This, coming from the same Department of Justice officials that wouldn’t know a civil rights violation if it picked up a club and barred them access to a polling place.

Drug War Insanity Goes Up in Smoke

As my colleague David Rittgers notes below, the announcement by the Department of Justice that it will no longer seek to arrest medical marijuana users is a breakthrough for common sense in federal drug policy.

It is bizarre that it takes a major policy announcement to spell out what a waste of police and court time it is to investigate the ill people who use medical marijuana. Historians will surely look back on this period and ponder how our government could have seriously embraced the opposite policy, in the same way we look back at the strange days of alcohol prohibition.

The Obama administration should be taking much bolder steps to stop the criminalization of drug use more generally. More and more people have come to recognize that the drug war has been given a fair chance to work, but it has proved to be a grand failure.